IPMA News: January 2004
Edited by Mary Ellen Bradley and Andy Marcelia
Top 10 Security Practices for Senior Managers
Imaging Project Cuts Paperwork and Costs at DOL
Summary of December 11, 2003 IPMA Board Meeting
-- by Mary Lou Griffith, DIS
We all understand that computer security incidents are on the rise and that agencies spend considerable effort and resources to clean up after an incident and to prevent the next attacks from happening. The purpose of this article is to provide senior management with some recommended security management practices. It excerpts recommendations from Common Sense Guide for Senior Managers, Top Ten Recommended Information Security Practices produced by the Internet Security Alliance, consisting of members of Carnegie Mellon University’s Software Engineering Institute; its CERT Coordination Center; the Electronic Industries Alliance (EIA), a federation of trade associations; and public and private member corporations. This group encourages the sharing of their work because "through sharing and adopting commonly accepted, good security practices, all organizations can begin to successfully manage their security risks."
PRACTICE #1: General Management
Managers throughout the organization consider information security a normal part of their responsibility and the responsibility of every employee.
PRACTICE #2: Policy
Develop, deploy, review, and enforce security policies that satisfy business objectives.
PRACTICE #3: Risk Management
Periodically conduct an information security risk evaluation that identifies critical information assets (e.g., systems, networks, data), threats to critical assets, asset vulnerabilities, and risks.
PRACTICE #4: Security Architecture & Design
Generate, implement, and maintain an enterprise- (or site-) wide security architecture, based on satisfying business objectives and protecting the most critical information assets.
PRACTICE #5.1: User Issues: Accountability and Training
Establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. Users include all those who have active accounts such as employees, partners, suppliers, and vendors.
PRACTICE #5.2: User Issues: Adequate Expertise
Ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies (e.g., host and network operating systems, routers, firewalls, monitoring tools, and applications software), including the secure operation of those technologies.
PRACTICE #6.1: System & Network Management: Access Control
Establish a range of security controls to protect assets residing on systems and networks.
PRACTICE #6.2: System & Network Management: Software Integrity
PRACTICE #6.3: System & Network Management: Secure Asset Configuration
Provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance, and retirement.
PRACTICE #6.4: System & Network Management: Backups
Mandate a regular schedule of backups for both software and data.
PRACTICE #7.1: Authentication & Authorization: Users
Implement and maintain appropriate mechanisms for user authentication and authorization when using network access from inside and outside the organization. Ensure these are consistent with policies, procedures, roles, and levels of restricted access required for specific assets.
PRACTICE #7.2: Authentication & Authorization: Remote and Third Parties
Protect critical assets when providing network access to users working remotely and to third parties such as contractors and service providers. Use network-, system-, file-, and application-level access controls and restrict access to authorized times and tasks, as required.
PRACTICE #8: Monitor & Audit
Use appropriate monitoring, auditing, and inspection facilities and assign responsibility for reporting, evaluating, and responding to system and network events and conditions.
PRACTICE #9: Physical Security
Control physical access to information assets and IT services and resources.
PRACTICE #10: Continuity Planning & Disaster Recovery
Develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.
The full text of the document can be found at: http://www.isalliance.org/news/BestPractices.pdf
-- by Jim Henly and Jeff Smith, Department of Licensing (DOL)
The Washington Department of Licensing faced a tremendous challenge this last biennium: it needed to develop a cost-effective system that would allow rapid access to vehicle title information. This new system would also need to allow for efficient storage of literally thousands of pages of documents that come into the agency on a daily basis.
There are more than 8,000 vehicle and vessel title transactions processed in the County Auditor, Subagent and DOL offices each day. Each transaction has approximately 5 pages of supporting documents associated with it, making up 40,000 pages of work that are sent to DOL Headquarters to be sorted, examined, microfilmed and stored for retrieval.
Eight people within the Investigative Research Unit (IRU) process research requests related to title applications and supporting documents. Processing requests from law enforcement, the courts, the public, vehicle dealers and others was a manual and time-consuming process. It included looking up information on the computer, determining what microfilm reel the title is on, locating the microfilm and then finding the title on that particular reel of microfilm. The standard for turnaround on requests was three hours for a rush job, and two days for routine requests.
To solve the problem, the Strategic Technology Services (STS) unit in information services teamed up with the Vehicle Services Division to design and implement a document imaging solution that would save the agency both time and money.
STS designed a workflow imaging solution that eliminates most of the title paper handling, provides on-line title examining, enables fast and easy access to title images and provides management with critical workflow process data.
The objective was to employ imaging technology to improve workflow, storage and retrieval of titling documentation. The imaging technology provided an opportunity to significantly improve customer service and provide a technology platform for future improvements.
The project was considered more successful than planned by the Vehicle Services division. Some of the main improvements include:
The appropriation for the project was $690,000. The project was completed on time and within the budgeted amount. In addition, the project is expected to pay for itself through reductions in FTEs and associated cost avoidance for storing paper documents.
The public also received tremendous benefits from this project:
"The technology used for this project provides an IT infrastructure that delivers fundamental value -- improved reliability, better availability, and increased scalability," said Jim Henly, manager for the project.
"Flexible agency standard tools helped match the design and deployment to our organizational and network needs," Henly said. "In addition, it helped us manage our network proactively by enforcing agency policy, automating tasks, and simplifying updates."
When combined with selected products and services from the agency’s hardware and software standards list it provided choices that helped get the greatest return on the agency’s infrastructure investments.
"The products used for this project were MS SQL 2000, NT based Security with Visual Basic and ASP programming," Henly said. "It is important to note that proprietary document management imaging software was not used in this project. This will save over $100,000 per year in on-going software license and maintenance costs. This architecture allows for a more flexible hardware and software environment."
-- by Mary Ellen Bradley, IPMA Communications Committee Co-Chair
The Information Processing Management Association recently established two scholarships. The object is to help deserving students meet their educational goals in the computer field.
The first was an $18,000 donation to establish an endowed Information Processing Management Association Scholarship in Computer Information Systems at South Puget Sound Community College (SPSCC) -- $3,000 will be used to fund a $1,000 annual scholarship for the academic years of 2004-05, 2005-06 and 2006-07 and the $15,000 balance will be directed to scholarship endowment. Beginning in year four, the college hopes that the investment income will provide annual awards in perpetuity. Every March, SPSCC distributes an annual scholarship booklet to current students and to high school students in the college’s service district. The IPMA scholarship is for students pursuing studies in the SPSCC Computer Information Systems Program with preference given to students currently working in, or planning to work in, Washington State government agencies.
The second scholarship was established at The Evergreen State College (TESC) with a $25,000 gift from the IPMA. Recipients of awards from this fund will be known as the Information Processing Management Association Scholars. Recipients of the IPMA Scholarships should demonstrate interest in Information Management and/or Computer Science, and be either current Washington State employees attending Evergreen or show an interest in working in Washington State government after graduation. TESC will provide the IPMA with the names of scholarship winners.
5 Years Ago -- January 1999 IPMA Newsletter
10 Years Ago -- January 1994 IPMA Newsletter
15 Years Ago -- January 1989 IPMA Newsletter
20 Years Ago -- January 1984 Association of Data Processing Managers Newsletter
25 Years Ago -- January 1979 Association of Data Processing Managers Newsletter
Members Present: Jim Albert, Phil Grigg, Sheryl Hall, Dennis Jones, Dennis Laine, Andy Marcelia and Christy Ridout. Phil Coates, CFO was also present.
Christy Ridout, IPMA Vice-Chair, opened the December 2003 meeting of the IPMA Board of Directors at 7:40 a.m.
REPORTS
Secretary/Treasurer: The minutes from the November 2003 Board meeting were approved.
The Board approved the November 2003 financial status and activities reports.
Business Planning: Christy Ridout distributed the investment portfolio report received from Merrill Lynch and discussed the current status.
Forum: Dennis Laine reported that several planning committee meetings were held in the past month. He and other committee members on the board concurred that planning is proceeding on schedule. Dennis attributed this to the fact that committee membership has been stable for several years and everyone knows what has to be done and how to proceed.
Dennis submitted a draft budget for the 2004 Forum to Phil Coates.
Executive Seminar: Phil Grigg reported that he and Darrel visited the Shilo at Ocean Shores. The last time the IPMA held an Executive Seminar there the meeting room proved to be inadequate, so Phil and Darrel worked out a better solution. They have a contract ready for signature to hold the 2005 Executive Seminar at the Shilo pending approval of the board. The board approved and directed Phil to sign the contract. Phil stated that he and Darrel had also secured an option for holding the 2006 Executive Seminar at the Shilo.
Professional Development: Sheryl Hall reported that the January 22, 2004, event "Disaster Recovery / Business Continuity" is on track and ready to go.
Dennis Jones presented a proposal for the IPMA to provide its own microphones based on research done by Jim Andersen. The proposal showed that for a total of about $370 the IPMA would have two wireless microphones, one six-way mixer, and a variety of cables for connection to a facility's audio system. The board agreed that the financial commitment was minimal and that the potential improvement in availability of equipment makes the purchase a good decision.
Prior to purchasing the equipment, Sheryl, Dennis, and Jim Andersen need to visit Saint Martin's to review issues and procedures with them. For example, would St. Martin’s allow IPMA to use the microphones with their audio systems? Once that is resolved, the next step is to test the proposed equipment for compatibility. When those two issues are resolved, several other things need to be determined: for example, could the equipment be kept at Saint Martin's, and, if we have trouble with our equipment at an event, can we expect help from Saint Martin's? Sheryl and Dennis will report back at the next meeting and possibly seek approval to buy the equipment.
Communications: Andy Marcelia reported that the December IPMA News was released December 9. Andy will provide an article for the January issue.
OTHER BUSINESS:
Storage Space: Several issues regarding IPMA’s need for better storage space were discussed. Among them, the need for committees to be able to access the new audio equipment when they need it for an event, as well as storage for various event banners and supplies. Additionally, Phil Coates stated that the current arrangement for long term storage of IPMA contractual and financial documents is not adequate. The board directed Phil to explore rental of a small storage unit that could accommodate the IPMA needs on an ongoing basis and report back to the board at the January meeting.
Scholarship: Jim Albert had the contract from Evergreen State College that would establish an endowed scholarship in the name of the IPMA for an amount of $25,000. It had to be signed by Mike McVicker as IPMA board Chair and Phil Coates as IPMA CFO. Phil Coates is to send the signed documents and a check for $25,000 to Evergreen as soon as possible.
Board Meeting Location: The January 8th board meeting will be held at the Shipwreck Cafe.
The meeting was adjourned at 8:14 a.m.
IPMA, P.O. Box 1943, Olympia, WA 98507-1943